Tag Archives: mcafee

6 Tricks and Tools for Securing Your Data

Technology is something of a double-edged sword for insurance brokers. It provides us with the perfect tools to offer accurate field underwriting, efficient claims and policy processing, thorough record-keeping and faster issuing of policies.

But that’s just one side of the story.

On the other side—the darker, far uglier underside—technology has opened us up to liabilities and compliance nightmares through data breaches, hackers and other cybersecurity risks.

See also: How Safe Is Your Data?  

While these cybersecurity threats should keep brokers on their toes, they don’t have to transform you into a tech-fearing Luddite. Here are six tips to help you avoid cybersecurity threats while still embracing technology:

1. Stay aware of the threats. From Trojans to worms, viruses to hackers, disgruntled employees to simple mistakes, potential data breaches lurk around every corner. You can stay aware of the changing threat environment and protect yourself with a system such as McAfee or AVG, but you also need to occasionally read tech blogs to understand what new threats are emerging.

2. Control your user permissions. With employees coming and going, people working remotely and more smartphones accessing company networks, it’s more important than ever to tightly control user permissions within your brokerage. Limit the access that offsite employees have and make sure to revoke unnecessary permissions when employees leave or change positions. Software such as Varonis can assist you.

3. Update passwords regularly and frequently. One of the easiest ways for a hacker to breach your system is by cracking your password—which is increasingly easy to do when the most popular passwords include “password” and “123456.” Make sure you and each of your employees changes passwords several times a year. You can use programs such as Dashlane Business to manage passwords, generate unique passwords and create two-factor sign-in authentication for device access.

4. Stay safe in the cloud. Brokers are increasingly relying on cloud-based data storage solutions, but not every cloud is created equal. Make sure the clouds you use have features such as encryption when files are being transferred as well as when they’re not. Secure clouds use data file “sharding”—a process in which data is broken up into several different portions, each of which is encrypted separately.

See also: New Channels, New Data for Innovation  

5. Create a post-breach action plan. None of us ever intends to be breached, but even if we do all we can to avoid it we could still become victims. If we do, we need to act quickly. That’s why it’s good to have a post-breach action plan as part of your general disaster planning.

6. Choose the right collaborative software. Whether you have employees working remotely or you have online meetings and webinars, you need to choose collaborative software that minimizes your risk of data breach. Choose tools that encrypt messages and have two-factor authentication at sign-in. There are many options, including HighQ and Syncplicity.

Cyber Risk: The Expanding Threat

Summary

— Interest in cyber insurance and risk has grown beyond expectations in 2014 and 2015 as a result of high-profile data breaches, including a massive data breach at health insurer Anthem that exposed data on 78.8 million customers and employees and another at Premera Blue Cross that compromised the records of 11 million customers. The U.S. government has also been targeted by hackers in two separate attacks in May 2015 that compromised personnel records on as many as 14 million current and former civilian government employees. A state-sponsored attack against Sony Pictures Entertainment, allegedly by North Korea, made headlines in late 2014.

— Cyber attacks and breaches have grown in frequency, and loss costs are on the rise. In 2014, the number of U.S. data breaches tracked hit a record 783, with 85.6 million records exposed. In the first half of 2015, some 400 data breach events have been publicly disclosed as of June 30, with 117.6 million records exposed. These figures do not include the many attacks that go unreported. In addition, many attacks go undetected. Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and CSIS estimated the likely cost to the global economy from cyber crime is $445 billion a year, with a range of between $375 billion and $575 billion.

–Insurers are issuing an increasing number of cyber insurance policies and becoming more skilled and experienced at underwriting and pricing this rapidly evolving risk. More than 60 carriers now offer stand-alone cyber insurance policies and insurance broker Marsh estimates the U.S. cyber insurance market was worth more than $2 billion in gross written premiums in 2014, with some estimates suggesting it has the potential to grow to $5 billion by 2018 and $7.5 billion by 2020. Industry experts indicate rates are rising, especially in business segments hit hard by breaches over the past two years.

— Some observers believe that cyber exposure is greater than the insurance industry’s ability to adequately underwrite the risk. Cyberattacks have the potential to be massive and wide-ranging because of the connected nature of this risk, which can make it difficult for insurers to assess the likely severity. Several insurers have warned that the scope of the exposures is too broad to be covered by the private sector alone, and a few observers see a need for government coverage akin to the terrorism risk insurance programs in place in several countries.

See the full white paper here.

How to Keep Malware in Check

Firewalls are superb at deflecting obvious network attacks. And intrusion detection systems continue to make remarkable advances. So why are network breaches continuing at an unprecedented scale?

One reason is the bad guys are adept at leveraging a work tool we all use intensively every day: the Web browser. Microsoft Explorer, Mozilla Firefox, Google Chrome and Apple Safari by design execute myriad tiny programs over which network administrators have zero control. Most of this code execution occurs with no action required by the user. That’s what makes browsers so nifty.

A blessing and a curse

But that architecture is also what makes browsers a godsend for intruders. All a criminal hacker has to do is slip malicious code into the mix of legit browser executable code. And, as bad guys are fully aware, there are endless ways to do that.

Stay informed with a free subscription to SPWNR

The result: The majority of malware seeping into company networks today arrives via infectious code lurking on legit, high-traffic websites. The hackers’ game often boils down to luring victims to click to an infected site, or simply just waiting to see who shows up and gets infected.

So if browsers represent a wide open sieve to company networks, could inoculating browsers be something of a security silver bullet? A cadre of security start-ups laser-focused on boosting browser security is testing that notion. The trick, of course, is to do it without undermining usability.

spike

Branden Spikes, Spikes Security founder and CEO

ThirdCertainty recently sat down with one of these security innovators, Branden Spikes, to discuss the progress and promise of improving Web browser security. Spikes left his job as CIO of SpaceX, where he was responsible for securing the browsers of company owner Elon Musk’s team of rocket scientists, to launch an eponymous start-up, Spikes Security. (Answers edited for clarity and length.)

3C: The idea of making Web browsing more secure certainly isn’t new.

Spikes: Let me break it down by drawing a line between detection and isolation. Browser security has been attempted with detection for many, many years, and it’s proven to not work. McAfee, Symantec, Sophos, Kaspersky and all the anti-virus applications that might run on your computer became Web-aware a while back. They all try to use detection mechanisms to prevent you from going to bad places on the Web.

Then you have detection that takes place at secure Web gateways. Websense, Ironport (now part of Cisco), Blue Coat, Zscaler and numerous Web proxies out there have security features based on the concept of preventing you from going to places that look malicious or that are known to be bad. Well, hackers have figured out how to evade detection, so that battle has been lost.

3C: Okay, so you and other start-ups are waging the browser battle on a different front?

Spikes: When you realize that detection doesn’t work, now you have to isolate. You have to say, :You know, I don’t trust browsers anymore. Therefore, I’m not going to let my stuff interact with the Web directly.” In the past five years, newer products have started to offer browser isolation technology. We’ve taken a very no-compromise approach to isolation technology.

Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction

3C: So instead of detecting and blocking you’re isolating, and sort of cleansing, browser interactions?

Spikes: Yes, and much like with detection technology, isolation can exist in either the endpoint or on the network. Some examples of endpoint isolation might be Invincea or Bromium, where you’ve got your sandboxes that do isolation on the endpoint. I applaud all the efforts out there. It spreads the whole gamut from minimal amount of isolation to sandbox technologies built into browsers. There’s quite a bit of investment going into this.

3C: Your approach is to intercept browser activity before it can execute on the worker’s computer.

Spikes: If you come at the problem from the assumption that all Web browsers are fundamentally malware, you can understand our technology. We essentially take the malware off the endpoint entirely, and we isolate the execution of Web pages on a purpose-built appliance. What goes to the end user is a very benign stream of images and sound. There’s really no way for malware to get across that channel.

3C: If browser security gets much better, at least in the workplace, how much will that help?

Spikes: If we successfully solve the browser malware problem, we could, I think, allow for more strategically important things to occur in cybersecurity. We could watch the other entry points that are less obvious. This sort of rampant problem with the browser may have taken some very important attention away from other entry points into the network: physical entry points, social engineering and some of the more dynamic and challenging types of attacks.

‘Interactive Finance’: Meshing with Google

The insurance industry is poised to enhance its power, burnish its prestige and increase its income in the 21st century by developing interactive finance to mesh with Internet enterprises. By interactive finance, I mean rewarding institutions and individuals with financial or strategic advantage for revealing information that details risk.

Insurance industry success requires recognizing information as this century’s distinct commodity, analogous to steam in the 19th and oil in the 20th. Information also needs to be seen as an indispensable element in fresh, emerging digital currencies.

Information technologies are adequately mature, and mobile and broadband communications networks sufficiently widespread, that digital currencies like Bitcoin are beginning to emerge. Cognitive computing, big data, parallelization, search, capture, curation, storage, sharing, transfer, analysis and visualization are commonplace; three-quarters of American households enjoy broadband access; and nine in 10 Americans carry mobile telephones. User-generated information now is everywhere.

Insurance industry leaders would be wise to cultivate interactive finance. It could be used to manage institutional investments with less risk and more liquidity. Interactive finance could also be used with retail consumers to create experiences, incentives and products to help manage what promises to be massive, new wealth.

A key part of interactive finance — navigating crowds and matching parties — is up and running. For instance, with Airbnb and accommodation or Uber and ride sharing, individuals reveal information voluntarily to enable counter party matching. Both are emerging as phenomenally successful simply by using information in new ways to create efficient markets.

The glimmerings of these potential gold mines are now eliciting insightful commentaries about how insurers might aggregate and parse information gathered through “crowd-sourcing.” Sharing portions of the reward with institutions and individuals through protected communications channels — also known as interactive finance — will provide the broad avenues and fastest expressways to 21st century wealth among insurers.

In two, insightful articles published here on ITL, Denise Garth discerns the key value of information. “Consider the explosion of new data that will be available and valuable in understanding the customers better so as to personalize their experience, provide insights, uncover new needs and identify new products and services that they may be unaware of,” she observes of the strategic alliance betweenFacebook and AXA. “For insurers, the coming years promise unparalleled opportunity to increase their value to their customers. Those that are best able to capitalize on the key technology influencers will reap the most in rewards,” Garth notes in an earlier article on Google.

Indeed, Facebook is poised to offer a money-transfer service in Europe. Pending regulatory approval in Ireland, Facebook would be permitted to employ user deposits in fiat currencies to become a payment services powerhouse with what seems tantalizingly close to a virtual currency. “Authorization from the central bank to become an ‘e-money’ institution would allow Facebook to issue units of stored monetary value that represent a claim against the company,” the Irish Times reported.

The company will use its acquisition of WhatsApp for access and traffic and will build on its 30% participation in revenue with Candy Crush Saga and Farmville games. Facebook will also take advantage of “‘passporting,’ which allows digital payments to be used across EU member states without having to gain regulatory approval from each one,” according to a news report.

Should Facebook succeed, AXA’s partnership with Facebook would put it well ahead of its competition in employing mobile markets to acquire and retain clients.

In an article on ITL on how Amazon could get into insurance, Sathyanarayanan Sethuraman enumerates “the convenience of on-demand buying. . . personalization of product and service delivery.” Crucially, he notes the importance of “building trust through transparency in pricing,” which provides impelling “reasons for insurers and Amazon to create a distribution model to match ever-evolving customer demands.”

Brian Cohen indicates in a thoughtful commentary on ITL that companies can collect customer feedback that is volunteered on social media and can also use new channels to provide new types of information. For instance, he says that, when inclement weather approaches, agents can caution readers to secure objects that may cause damage to their property, as a means toward generating webpage traffic and strengthening client relationships.

Joseph Sebbag cautions that technological mismatches can threaten insurance industry value. “Insurers’ numerous intricate reinsurance contracts and special pool arrangements, countless policies and arrays of transactions create a massive risk of having unintended exposure,” he notes in an intriguing essay evaluating information technology and reinsurance.

Focusing on a company with which I am very familiar, former Comptroller General David Walker says Marketcore has transformative IP in interactive finance that could provide pathways to phenomenal growth for the insurance industry and, in general, finance. The mechanism is incentives for “truth, transparency and transformation” that will make risk vehicles and markets perform more efficiently and reliably. (Walker is honorary chairman of Marketcore; I am an adviser.)

Marketcore generates liquidity by rewarding individuals and institutions for sharing information, such as the history of individual loans being bundled into residential mortgage-backed securities. The reward could be a financial advantage, say a discount on the next interval of a policy for individuals purchasing retail products. The reward could also be a strategic advantage, say foreknowledge of risk exposure for institutions dealing in structured risks like residential mortgage-backed securities or bonds, contracts, insurance policies, lines of credit, loans or securities.

Through interactive finance, Marketcore creates efficient markets for insurers and reinsurers. All do well as each does good. Risk determination permits insureds, brokers and carriers to update risks through “a transparency index. . . based. . . on the quality and quantity of the risk data records.” Component analysis of pooled securities facilitates drilling down in structured risk vehicles so insurers and reinsurers can address complex reinsurance contracts and special pool arrangements with foreknowledge of risk. Real time revaluation of contracts clarifies “the risk factors and valuation of [an] instrument” and, in so doing, “increases liquidity and tracks risks’ associated values even as derivative instruments are created.”

These interactive finance capabilities are at tipping points for insurers and reinsurers, as outlined so thoughtfully by Garth, Sethuraman and Cohen.

As those thought leaders say, large Internet enterprises like Google, Amazon and Facebook are striving for market reach and domination. Because of distributed wire line and wireless networks and the Internet, experts project that global trade will grow to $45 trillion from $6.5 trillion in less than 10 years. Global mobile transactions are projected to show more than 33% average annual growth, with 450 million users in a $720 billion market by 2017.

Only if Amazon, Facebook and Google offer new services can they exert market power in global electronic commerce analogous to late 19th century railroads, energy and steel industries. Each of them needs services like insurance no less than railroads required passengers and freight; than coal and oil required factories, homes, offices and motor vehicles; than steel required cities, railroads, trollies and cars. These Internet enterprises must have insurance, among other services associated with their brands, to remain dominant. All seek to create voluntary, de facto, walled gardens for their brands, and what better way to do so than to get users to rely on their brands to manage risks and pay bills?

None of these Internet search-and-connect giants can recoup its investments in mobile applications, drones and data centers unless it has voluminous, recurrent transactions and traffic engaging its mobile capabilities. For instance, Derek Thompson reports that the iPhone drives 60% of Apple revenue and that mobile advertising accounts for 60% of Facebook advertising revenue. John Greathousespells out the implications for advertising in a thoughtful essay on conversion rates and mobile formats. A service like insurance brings in users and encourages stickiness. In this way, insurance is the correlative to apps, drones and data centers. All these Internet giants are less without it.

Similarly, consumers and institutions are keen to participate in the value that they create with their participation in information technology and communications networks. Citizens and consumers, while resenting unremitting spying, shrug off the constant sale of metrics about their data to advertisers as inescapable and would love to turn tables on all these massive, intrusive public- and private-sector forces. People would willingly patronize a firm rewarding them for revealing risk information that they are comfortable sharing.

By rewarding institutions and individuals with financial or strategic advantage for voluntarily revealing risk-detailing information, interactive finance expressly rewards users for what they forego voluntarily with daily Internet use.

At this stage, the Internet firms have first-mover advantage when it comes to gathering and using people’s information. When I recently watched streaming video of Masterpiece Theatre’s “Mr. Selfridge,” there was the anomalous propinquity of an advertisement for an Internet tire seller in the bottom right portion of my display – within a day or so of my searching Google for motor vehicle tires. Clearly, Google, Internet ad placers and, in my case, the tire vendor are selling and purchasing access to user experiences. The sole party excluded from the value chain is the person who creates value in the information.

Earlier loyalty programs prefigure some of the notions of interactive finance. In mid-20th century America, supermarkets, gasoline stations and retailers often rewarded customer loyalty with S&H Green Stamps. Airlines, grocery chains and hotels employ loyalty programs and provide reward cards to provide incentives for recurrent patronage. In keeping with the times, Bellycard supports customer retention with a scannable card and mobile application. Each time I buy Italian bread and scan the card at the local bakery, I earn points toward a pastry.

What of insurance brokers, who reward consumers with incentives on forthcoming purchases for revealing risk information that they are comfortable sharing? Or insurer carriers, which protect asset values and boost shareholder confidence through enhanced capacities for risk detection and real-time valuation of risk exposures?

From here on out, the emphasis needs to be on rewarding customers and institutions by enabling them to create wealth with the information they are willing to reveal and by commanding information as a commodity and as the cornerstone component of emerging digital currencies. Insurers that can tap Internet industry demands for users, provide rewards for information and equip themselves to manage their risks more effectively can position themselves to dominate their sector well into the second quarter of the 21st century.

“Insurance is above all a relationship,” remarks Elise Manzi, account manager with Biddle & Company Insurance Brokers, based in Newtown Square, Pennsylvania. “We’re devoted to continuing to provide our clients with the exceptional services they have come to expect of us through these new communications capabilities. Interactive finance sounds like a great relationship builder.”

Ernest Tedesco, head of Philadelphia-based Webesco, says, “For brokers, web services support client retention and communication. For large retail carriers like Progressive and Geico, web services enable them to reach consumers directly with service and product offerings. Anything kludgy on one of these sites will send customers scurrying to competitors.” He adds that if Google and other Internet giants get into the retail insurance space, current industry leaders need to be ready to respond aggressively with technology or will be disintermediated. “Back-office executives managing trillions in risk will find themselves at competitive disadvantage without real-time and near-real-time risk detection, which web services visualize.”

By meshing with Internet industry firms on interactive finance terms, the insurance industry will have all the strength of the Internet yet sustain more discretion to manage institutional and customer experiences on terms much more favorable than those that musicians and publishers experience with Apple.

As Erik Brynjolffson and Andrew McAfee point out in The Second Machine Age, digitization both spawns vast new bounty and stimulates an increasingly drastic spread between the small fraction of winners and everyone else.

How better to build crowds and grow volumes than to provide incentives to customers by rewarding them for sharing information they are willing to reveal and to serve institutional clients with foreknowledge of oncoming risks to sustain competitive advantage and protect liquidity.

It is as straightforward as that.

For my part, I am optimistic about Marketcore because its IP enables insurance industry adopters to organize, channel and reward rich, diverse crowds of capital accumulation through interactive finance. Large, incumbent Internet firms like Amazon, Facebook and Google may still prosper from first-mover advantages based, in part, on recognition that information is the distinct commodity of the 21stcentury. But each and all now must offer more to maximize return on investments in capital-intensive operations. And that’s where any insurers, deploying Marketcore IP as sword and shield, stand most to gain for themselves and the people and institutions whose trust they hold.

 

A Look At Cyber Risk Of Financial Institutions

Overview Of The Risk
There were more than 26 million new strains of malware released into circulation in 2011. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $214 in 2011, an increase of over 55% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks simply don't target large companies. According to Symantec's 2010 SMB Protection report, small busineses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report's opinion that 96% of such breaches could have been prevented with appropriate controls. Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector
Willy Sutton once infamously remarked that he robs bank because “that's where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Networking and Information Security Agency, if Willy Sutton was alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target. “The number and sophistication of malicious incidents have increased dramatically over the past five years and is expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financials Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.” Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases from bank accounts of US businesses. These cases total $255 million in fraudulent transfers and has resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was telecommunications network disruption that dominated the news in 2012.

Otherwise known as a distributed denial of service attack, US banks were attacked repeatedly throughout the year by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against this country's infrastructure.

Among the institutions hit were PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial situations only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012 the Financial Services Information Sharing and Analysis Center, which shares information throughout the financial sector about terrorist threats, warned the US financial services industry that a Russian cyber-gangster is preparing to rob American banks and their customers of millions of dollars. According to the computer security firm, McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” already has infected hundreds of computers of unwitting American customers in preparation to steal that bank account data.

Of course not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that the company may been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and security numbers. It is unclear why the bank waited until October to notify customers. Over 46 states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

The Cyber Insurance Market
With these facts, it is not surprising that the cyber insurance market has grown tremendously from its initial beginning in 2000. Starting with what was the brainchild of AIG and Lloyds of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium to insurance carriers on a worldwide basis.

Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable business. Perhaps, it is for this reason, cyber premium rates are flat to down 5% according to industry reports in the market where rates in property-casualty are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker's dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren't more buyers but most of the industry believes it's a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.

It is then perhaps not surprising that the Betterley 2012 market report stated “we think this market has nowhere to go but up” Although, they quickly qualified, “as long as carriers can still write at a profit.”